Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes.
# of Caveats: 0 view caveats→
# of Usage Notes: 4 view notes→

Relevant Product Characteristics

  • This product is designed specifically with mental/behavioral health professionals in mind.
  • The leadership or management behind this product includes at least one mental/behavioral health professional.

What Is This Product?

Ivy Pay is a payment system designed exclusively for therapists and features instant payment, secure credit card storage, and progress notes. It is primarily for solo practitioners, although there is some support for group practices. The main interface is accessed through smart phones or tablet devices on android or apple platforms.  The practitioner never needs to touch the client’s credit card as Ivy Pay sends an SMS message to the client providing them a link to a secure web page to enter their credit card info.

***Person Centered Tech is not affiliated with Ivy Pay. 

Our impressions:

Ivy Pay has put a lot of thought into features and functionality that facilitate HIPAA security compliance, credit card security, and align with therapist’s ethical standards.

In order to sign up for the service, Ivy Pay will interview you and ask for your licensure information to ensure that you are licensed — or in the process of becoming a licensed practitioner.  

If you navigate out of the app, you need to re-enter your pin code each time, so that information is not left viewable if someone else picks up your phone or tablet.

We also like the fact that they consult with a panel of therapists regarding feature development, including security and privacy, and they have a mental health practitioner on staff.  They have done a fantastic job at limiting the information contained in SMS messages to clients, such that it does not identify or allow for the identification of their particular therapist.

It is worth mentioning that we greatly appreciate that they utilize our preferred terminology of HIPAA-secure as opposed to HIPAA-compliant. Could they have referenced our article, “HIPAA-Compliant” Is a Meaningless Phrase. Let’s Use “HIPAA-Secure”?!

**Please note that Person Centered Tech has received a high volume of calls looking for customer service from Ivy Pay. It seems as though they are difficult to get a hold of and have found many clinicians frustrated with their services.

This product offers a free service tier or a free trial account:

We encourage all clinicians interested in this product to try out the free trial or experiment with the free tier to see if it suits your needs.

If you discover anything of concern that isn’t addressed in this review yet, please tell Liath about it at [email protected].


Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.



Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Always do a proper collaborative risks analysis before using payment notifications

Ivy Pay automatically sends SMS text messages to the client for initially inputting credit card info, and when their card is charged.  This is essential to the product and there is no way for the service to work without using SMS text message. Fortunately, Ivy Pay does this without naming the therapist or including any information that could be used to determine the therapist’s identity and thereby significantly reduces the security and privacy risks that are typically present with payment related notifications.  However, it is an ethical responsibility for therapists to collaborate with their client if there is a risk — such as with a potential domestic abuser, who could see text messages coming from Ivy and then research that this is a payment service for therapists. We recommend engaging each client in a collaborative risk analysis to ensure it is safe for them to receive those text messages, prior to adding them as a client in Ivy Pay and initiating the sign-up invitation SMS message that Ivy Pay sends on your behalf.

2) Sign and Execute the Business Associate Agreement

Ivy Pay does not automatically execute a BAA with you — although they have it clearly posted on their website and it is viewable in the app for your smartphone or tablet. We recommend you request a signed version, which you can conveniently do through the settings menu within the app.

3) Avoid using progress notes for maintaining electronic records

Ivy Pay recently added a Progress Note field to enter notes after each session on your smartphone or tablet.  We recommend you consider a more fully featured practice management system for maintaining client notes if you want to maintain them electronically. However, it is a convenient and secure space to enter payment related notes.  If you decide to use the Progress Notes feature in Ivy Pay, you may want to set the ‘Privacy’ slider button to not show Progress Notes when viewing client list information. Fortunately, Ivy requires the therapist to enter a PIN each time they access the app, so if client information is left open, there will be a layer of protection if someone else picks up the device.

4) Use your HIPAA-friendly email account to receive reports from Ivy Pay

Ivy Pay can send some useful activity reports to your email on a regular basis.  We recommend that you use your HIPAA-friendly email account (one with a Business Associate Agreement in place) to receive the emails.  Ivy does a good job of obscuring client identity, but still uses client initials in the reports, which is considered PHI. If you have questions about what constitutes PHI, and what your responsibilities are for safeguarding it, we recommend checking out our CE for OH session: How to Identify HIPAA Protected Health Information: Finding Your Clients’ Sensitive Information Wherever It Goes (included in your membership.)



Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss